how to tell client to use ssf=256 instead of ssf=128
- To: <openldap-technical@openldap.org>
- Subject: how to tell client to use ssf=256 instead of ssf=128
- From: Tobias Hachmer <lists@kokelnet.de>
- Date: Mon, 08 Oct 2012 19:42:57 +0200
- User-agent: Roundcube Webmail/0.8.1
Hello,
I'm using OpenLDAP 2.4.28 on Ubuntu Server and have configured TLS.
I want to allow write operations only when ssf=256 is used (security update_ssf=256).
Certificates were set up with openssl CA.pl.
When I connect via
# ldapadd -Y EXTERNAL -ZZ -f /src/test.ldif
I get this:
SASL/EXTERNAL authentication started
SASL username: cn=ldapadmin,.............
SASL SSF: 0
adding new entry "dc=example,dc=com"
ldap_add: Confidentiality required (13)
additional info: stronger confidentiality required for update
the log says:
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="" method=163
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND authcid="cn=ldapadmin,........." authzid="cn=ldapadmin,........"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,......." mech=EXTERNAL sasl_ssf=0 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: connection_input: conn=1003 deferring operation: binding
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=3 UNBIND
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 closed
1. Why is the client connecting with ssf=128?
2. Can I influence the ssf used by the client, and if yes, how?
3. Could it be a certificate issue?
Thanks in advance,
Tobias Hachmer
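As an added example (not part of Tobias's post or of OpenLDAP itself), a small Python check that groups slapd log lines by connection and reports sessions whose negotiated ssf fell below the update_ssf floor and then failed an update with err=13 (confidentialityRequired). The sample log is constructed from the lines quoted above; the DN and the second connection are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd log quoted in the post.
# The DN and the second connection (conn=1004) are placeholders.
SAMPLE_LOG = """\
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,dc=example,dc=com" mech=EXTERNAL sasl_ssf=0 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
Oct 8 19:40:02 ldap slapd[2205]: conn=1004 fd=14 ACCEPT from IP=10.0.0.5:40112 (IP=0.0.0.0:389)
Oct 8 19:40:02 ldap slapd[2205]: conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
Oct 8 19:40:02 ldap slapd[2205]: conn=1004 op=2 ADD dn="ou=people,dc=example,dc=com"
Oct 8 19:40:02 ldap slapd[2205]: conn=1004 op=2 RESULT tag=105 err=0 text=
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
RESULT_RE = re.compile(r"op=(\d+) RESULT tag=(\d+) err=(\d+)")

# LDAP response tags for update operations: modify, add, delete, modDN.
UPDATE_TAGS = {103, 105, 107, 109}
CONFIDENTIALITY_REQUIRED = 13


def parse_connections(log_text):
    """Collect per-connection facts: peer address, negotiated SSF, op results."""
    conns = defaultdict(lambda: {"peer": None, "tls_ssf": None, "ssf": None, "results": []})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # lines without conn= (e.g. daemon startup) are ignored
        c, rest = conns[int(m.group(1))], m.group(2)
        a, t, r = ACCEPT_RE.search(rest), TLS_RE.search(rest), RESULT_RE.search(rest)
        if a:
            c["peer"] = a.group(1)
        elif t:
            c["tls_ssf"], c["ssf"] = int(t.group(1)), int(t.group(2))
        elif r:  # extended-op results carry "oid=" and no tag, so they do not match
            c["results"].append((int(r.group(1)), int(r.group(2)), int(r.group(3))))
    return dict(conns)


def weak_update_attempts(log_text, required_ssf=256):
    """Connections below required_ssf whose update was refused with err=13."""
    findings = []
    for conn_id, c in sorted(parse_connections(log_text).items()):
        if c["ssf"] is None or c["ssf"] >= required_ssf:
            continue
        for op, tag, err in c["results"]:
            if tag in UPDATE_TAGS and err == CONFIDENTIALITY_REQUIRED:
                findings.append({"conn": conn_id, "peer": c["peer"], "ssf": c["ssf"], "op": op})
    return findings
```

Run against a real slapd log at loglevel stats, the output tells you which peers still negotiate ciphers below the update_ssf floor, which is the first thing to check before touching server or client cipher settings.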